Age | Commit message (Collapse) | Author |
|
Since we have changed imx-mkimage flash_spl_container target
to flash_spl, also update it in u-boot ahab document.
Signed-off-by: Ye Li <ye.li@nxp.com>
Acked-by: Peng Fan <peng.fan@nxp.com>
|
|
The csf_additional_images.txt example should match with
mx6_mx7_secure_boot.txt guide.
Fix addresses provided in csf_additional_images.txt CSF
example.
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
When booting in low power or dual boot modes the M4 binary is
authenticated by the M4 ROM code.
Add an option in hab_status command so users can retrieve M4 HAB
failure and warning events.
=> hab_status m4
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
No HAB Events Found!
Add command documentation in mx6_mx7_secure_boot.txt guide.
As HAB M4 API cannot be called from A7 core the code is parsing
the M4 HAB persistent memory region. The HAB persistent memory
stores HAB events, public keys and others HAB related information.
The HAB persistent memory region addresses and sizes can be found
in AN12263 "HABv4 RVT Guidelines and Recommendations".
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
Fix a typo in path provided for imx-mkimage iMX8QM and iMX8QXP directories.
Reported-by: Marius Grigoras <marius.grigoras@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
The commands included in introduction guide should not be used as
reference for programming the SRK Hash fuses as they are in big
endian.
Add a note to avoid a possible mistake.
Reported-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
Since commit 771b824728ca ("MLK-20919 imx8: ahab: Add command to
close the chip") the U-Boot is able to move the lifecycle from
NXP closed to OEM closed.
Update AHAB guides to use U-Boot ahab_close command instead of SCFW CLI.
As the procedure is now independent of SCFW terminal we can remove
this condition from documentation.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
Starting in L4.14.78 release, the OP-TEE CAAM driver does not set the
JROWN_NS field in case LMID is locked.
We need to include the Unlock MID command in CSF file otherwise device
will fail to boot in HAB closed mode.
Add section to avoid crash when OP-TEE is enabled.
Reported-by: Frank Zhang <frank.zhang@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
Since commit cf2acc5b7cde ("MLK-18942-2 imx8: ahab: Add ahab_status
command") the U-Boot is able to display and parse the SECO events.
Update AHAB guides to use U-Boot ahab_status command instead of
SCFW CLI.
Starting in SECO FW v0.2.0 engineering release an invalid image
integrity is logged as an event in open mode. As ahab_status
is able to return this event the note can be removed.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
The set_priblob_bitfield command is enabled by selecting
CONFIG_CMD_PRIBLOB.
Fix typo in mx6_mx7_encrypted_boot.txt guide.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
documentation structure
There is no need to have an extra hab directory under doc/imx/:
- doc/imx/hab/ahab/
- doc/imx/hab/habv4/
Remove extra hab directory for a cleaner documentation structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
i.MX8x SPL targets
The current U-Boot implementation includes SPL targets for i.MX8QM and
i.MXQXP MEK boards:
- imx8qxp_mek_spl_defconfig
- imx8qxp_mek_spl_fspi_defconfig
- imx8qm_mek_spl_defconfig
- imx8qm_mek_spl_fspi_defconfig
The U-Boot proper and ATF are included in an additional container being
necessary a different procedure for signing the flash.bin image.
Add a step-by-step guide covering the signing procedure.
Add a CSF example for the 3rd container.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
|
|
and 8X families
Add AHAB secure boot step-by-step guide for i.MX8 and i.MX8x families
devices.
Add 3 CSF example files:
- Example to sign flash.bin only using SRK keys.
- Example to sign flash.bin using a subordinate SGK key.
- Example to sign Linux image only using SRK keys.
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
|
|
The AHAB is currently supported in i.MX8QXP and i.MX8QM devices.
Add an introductory document containing the following topics:
- AHAB Secure Boot Architecture
- System Control Unit (SCU) introduction
- Security Controller (SECO) introduction
- i.MX8/8x secure boot flow
- AHAB PKI tree generation
- SRK Table and SRK Hash generation
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Frank Zhang <frank.zhang@nxp.com>
Reviewed-by: Marius Grigoras <marius.grigoras@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
|
|
The HABv4 secure boot procedure is now documented in different files:
.
└── habv4
├── csf_examples
│ ├── additional_images
│ │ └── csf_additional_images.txt
│ ├── mx6_mx7
│ │ ├── csf_uboot_fast_authentication.txt
│ │ └── csf_uboot.txt
│ └── mx8m_mx8mm
│ ├── csf_fit.txt
│ └── csf_spl.txt
├── guides
│ ├── mx6_mx7_secure_boot.txt
│ ├── mx8m_mx8mm_secure_boot.pdf
│ └── mx8m_mx8mm_secure_boot.txt
├── introduction_habv4.txt
└── script_examples
└── genIVT.pl
The old documentation secure_boot.txt can be removed.
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
i.MX8MM devices
Add HABv4 documentation for i.MX8M and i.MX8MM targets covering the
following topics:
- How to sign an securely boot an flash.bin image.
- How to extend the root of trust for additional boot images.
- Add 2 CSF examples.
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
|
|
and i.MX 7 family devices
Add useful documentation for encrypted boot:
- Add 2 CSF examples for encrypt and sign
- How to encrypt and sign a U-Boot binary on closed device
- Why and how increase the PRIBLOB bitfield from CAAM SCFGR
Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
|
|
i.MX7 family devices
Add HABv4 documentation for u-boot-dtb.imx targets covering the
following topics:
- How to sign an securely boot an u-boot-dtb.imx image.
- How to extend the root of trust for additional boot images.
- Add 3 CSF examples.
- Add IVT generation script example.
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
The HABv4 is supported in i.MX 50, i.MX 53, i.MX 6, i.MX 7,
series and i.MX 8M, i.MX8MM devices.
Add an introductory document containing the following topics:
- HABv4 Introduction
- HABv4 Secure Boot
- HABv4 Encrypted Boot
- HAB PKI tree generation
- HAB Fast Authentication PKI tree generation
- SRK Table and SRK Hash generation
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
There is no need to have README in all i.MX documents name.
Remove README from i.MX docs name and add .txt file extension.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
|
|
The Serial Download Protocol feature is availible in various
i.MX SoCs.
Move README.sdp document to imx/misc directory.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
The current High Assurance Boot document README.mxc_hab
include details for the following features in a single file:
- HAB Secure Boot
- HAB Encrypted Boot
Split HAB documentation in a specific directory for a cleaner
documentation structure, subsequent patches will include more
content in HAB documentation.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
The following documents describe device details according to the
i.MX family:
- README.imx25
- README.imx27
- README.imx5
- README.imx6
- README.mxs
Move all device common related document to doc/imx/common for a better
directory structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
The following documents describe the image type used by the mkimage
tool to generate U-Boot images for i.MX devices.
- README.imximage
- README.mxsimage
Move all mkimage related document to doc/imx/mkimage for a better
directory structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
Currently the Serial Download Protocol tools and procedure are
documented in two places:
- doc/imx/README.sdp
- doc/imx/README.imx6
It is better to consolidate all SDP related information into
README.sdp file, so move the content from README.imx6 to
README.sdp.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
Currently the U-Boot doc/ directory contains the following files
that are only relevant for i.MX devices:
- doc/README.imx25
- doc/README.imx27
- doc/README.imx5
- doc/README.imx6
- doc/README.imximage
- doc/README.mxc_hab
- doc/README.mxs
- doc/README.mxsimage
- doc/README.sdp
Move all content to a common i.MX folder for a better documentation
structure.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
doc/device-tree-bindings
Currently the U-Boot project contains 2 documentation directories:
- doc/
- Documentation/
The Documentation directory only contains device tree bindings related
content, so move the 2 files to doc/device-tree-bindings/.
This commit is based in a previous submission in U-Boot upstream:
http://git.denx.de/?p=u-boot.git;a=commit;h=ad7061ed742e1312289644268859a0f4b512aaee
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
The README.mxc_hab is outdated and need improvements, add the following
modifications:
- Reorganize document and remove duplicate content
- Add CST download link
- Update CST package name
- Align command lines with CST v2.3.3
- Update U-Boot binary name
- Remove CSF padding since is not documented in AN4581
Signed-off-by: Breno Lima <breno.lima@nxp.com>
|
|
Currently the High Assurance Boot procedure is documented in two
places:
- doc/README.imx6
- doc/README.mxc_hab
It is better to consolidate all HAB related information into
README.mxc_hab file, so move the content from README.imx6 to
README.mxc_hab.
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
|
|
With the contents of config_distro_defaults.h migrated to Kconfig,
we can remove this header file completely
Signed-off-by: Adam Ford <aford173@gmail.com>
|
|
README.efi describes two different concepts:
* U-Boot exposing the UEFI API
* U-Boot running on top of UEFI.
This patch splits the document in two.
Religious references are removed.
The separation of the concepts makes sense before detailing the internals
of U-Boot exposing the UEFI API in a future patch.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
|
|
This commit cleans up the README.watchdog by removing the reminescent of
ADI's Blackfin architecture removed some time ago.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
|
|
|
|
The original text is from the time that the config options were not
converted to Kconfig.
After the conversion to Kconfig only CONFIG_SECURE_BOOT and
CONFIG_CMD_DEKBLOB need to be selected by the user.
The other config options are automatically selected by the Kconfig
logic.
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Breno Lima <breno.lima@nxp.com>
|
|
The EFI implementation does not fit into any of the existing categories.
Provide LOGC_EFI so that EFI related message can be filtered.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
|
|
When functions return an error it propagates up the stack to the point
where it is reported. Often the error code provides enough information
about the root cause of the error that this is obvious what went wrong.
However in some cases the error may be hard to trace. For example if a
driver uses several devices to perform an operation, it may not be
obvious which one failed.
Add a log_ret() macro to help with this. This can be used to wrap any
error-return value. The logging system will then output a log record when
the original error is generated, making it easy to trace the call stack
of the error.
This macro can significantly impact code size, so its use is controlled
by a Kconfig option, which is enabled for sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
Add some notes about recent new features.
Signed-off-by: Simon Glass <sjg@chromium.org>
|
|
Xilinx changes for v2018.03
- Several Kconfig fixes (also moving configs to defconfigs)
- Some DTS updates
- ZynqMP psu rework based on Zynq concept
- Add low level initialization for zc770 and zcu102
- Add support for Zynq zc770 x16 nand configuration
- Add mini nand/emmc ZynqMP targets
- Some arasan nand changes
|
|
zc770-xm011 is also added and supported. Reflect this in README.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
|
|
The appended README explains how U-Boot and iPXE can be used
to boot a diskless system from an iSCSI SAN.
The maintainer for README.efi and README.iscsi is set.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
[agraf: s/Adress/Address/]
Signed-off-by: Alexander Graf <agraf@suse.de>
|
|
|
|
NAND and QSPI devices are now supported, so mark
them as such.
Cc: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
|
|
Update documentation to reflect adopting the Linux DT bindings.
Tested on TI K2G platform:
Tested-by: Vignesh R <vigneshr@ti.com>
Tested on a socfpga-cyclonev board:
Tested-by: Simon Goldschmidt <sgoldschmidt@de.pepperl-fuchs.com>
Signed-off-by: Jason Rush <jarush@gmail.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Acked-by: Simon Goldschmidt <sgoldschmidt@de.pepperl-fuchs.com>
Acked-by: Marek Vasut <marex@denx.de>
|
|
Migrate the following symbols to Kconfig:
CONFIG_FS_EXT4
CONFIG_EXT4_WRITE
The definitions in config_fallbacks.h can now be expressed in Kconfig.
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
|
|
The following config symbols are only defined once and never referenced
anywhere else:
CONFIG_AMCORE
CONFIG_ASTRO5373L
CONFIG_M52277EVB
CONFIG_M5253DEMO
CONFIG_M5253EVBE
CONFIG_M5275EVB
CONFIG_M54418TWR
CONFIG_STMARK2
Most of them are config symbols named after the respective boards which
seems to have been a standard practice at some point.
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
|
|
It's mostly obvious, except that QEMU is annoying and requires an
explicit '-cpu cortex-a57' (or some other 64-bit core) to actually run
in 64-bit mode.
While at it, remove the references to setting the ARCH environment
variable; that is not used in U-Boot.
Signed-off-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Reviewed-by: Tom Rini <trini@konsulko.com>
|
|
The DT spec demands a unit-address in a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in various documentation files where this was not
observed, to not give bad examples to the reader.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
|
|
The DT spec demands a unit-address of a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the FIT image example files where this was not
observed, to not give bad examples to the reader.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
|
|
The DT spec demands a unit-address in a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the FIT image documentation files where this was not
observed, to not give bad examples to the reader.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
|
|
Add documents to describe NX25 and AE250.
Also update other documents for RISC-V.
Signed-off-by: Rick Chen <rick@andestech.com>
Signed-off-by: Rick Chen <rickchen36@gmail.com>
Signed-off-by: Greentime Hu <green.hu@gmail.com>
|